Adware_FasterXP

3 replies to this topic

#1 PenguinBoy (Member, Full Member, 1 post)

Posted 20 April 2007 - 10:46 PM

Hello,

I do not have any popups appearing on my screen. However, I believe that my browser has been hijacked. I first noticed this when I attempted to update my Symantec Antivirus and it failed to access one of the virus definition files it had downloaded. I retried the LiveUpdate a few times, but to no avail. A friend sent me a link to a manual download location on the Symantec site. When I tried the URL, it told me it was an invalid page, and the same happened for every page I searched in the Symantec domain. So far, all other pages seem to open normally. The antivirus did not pick up any infections upon a full system scan. I heard about Avast! antivirus, so I decided to uninstall Symantec and install Avast! Nothing came up for that scan either. However, an online scan from Trend Micro's Housecall came up with a single piece of malware, called "Adware_FasterXP". Housecall failed when it attempted to delete the malware. While running Avast! Antivirus, the "ashWebSv.exe" process crashed. Apart from the incorrect access of the Symantec domain and the failed LiveUpdate attempt, I have noticed no other blatant outward signs of a virus, trojan, etc. I have read the rules of preparation before posting and have installed and run all suggested software. Here are my log files from AVG Anti-Spyware 7.5 and HijackThis 2.0.0:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:33:56 PM 4/20/2007

+ Scan result:

:mozilla.37:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.15:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.16:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.17:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.18:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.19:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.20:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\PenguinBoy\Cookies\penguinboy@search.live[2].txt -> TrackingCookie.Live : Cleaned.
:mozilla.23:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\PenguinBoy\Cookies\penguinboy@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.21:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.50:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.30:C:\Documents and Settings\PenguinBoy\Application Data\Mozilla\Firefox\Profiles\f9swanms.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.


::Report end


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:43:47 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\CoPilot\Navigator9\App\Spot2741.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\Cyb2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HotKey\HotKey.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\EXE Installers\Antivirus and Spyware Protection\HiJackThis_v2.exe

F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotKey Driver.lnk = C:\Program Files\HotKey\HotKey.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...tive/x86/win32/activex/hcImpl.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Spot GPS Maxim (SpotGPSMaxim) - Koninklijke Philips Electronics N.V. - C:\Program Files\CoPilot\Navigator9\App\Spot2741.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 6730 bytes


I would be happy to provide more logs or other information upon request.
Thank you very much for your time and help!
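Nobody in the thread got as far as working through the log, so here is an added illustration of how a helper would triage HijackThis v2 output mechanically. This is example code written for this page; it is not from the thread, from SpywareInfo, or from Trend Micro's HijackThis. It splits F2/O2/O4/O9/O23 lines into section, name and binary path, then applies three generic review heuristics: the target is marked "(file missing)", an autostart binary sits directly in the Windows directory rather than a program or system folder, or a service path has been cut off at "C:\Program.exe", which is what HijackThis prints for an unquoted service ImagePath that contains spaces. The sample lines are constructed from entries in the log above; the heuristics only surface items for manual review and are not a verdict on any of them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in HijackThis v2 format, copied in shape
# from the log posted above (not the full log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows XP SP2 (WinNT 5.01.2600)

F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [C2K] C:\\WINDOWS\\Cyb2k.exe
O4 - HKLM\\..\\Run: [!AVG Anti-Spyware] "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe" /minimized
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: HotKey Driver.lnk = C:\\Program Files\\HotKey\\HotKey.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - C:\\Program.exe (file missing)
O23 - Service: avast! Web Scanner - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashWebSv.exe
"""


@dataclass
class Entry:
    section: str                 # "O4", "O23", "F2", ...
    name: str                    # Run value name, BHO name, service name, ...
    path: str                    # binary path with quotes and arguments stripped
    file_missing: bool = False   # HijackThis appended "(file missing)"
    flags: list = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<section>[OFR]\d+) - (?P<rest>.*)$")
O4_RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<key>[^:]+): (?P<name>.+?) = (?P<cmd>.*)$")
# Heuristic (assumption of this example): a file right under C:\WINDOWS\,
# not in a subfolder, is unusual for legitimate autostart software.
WINDIR_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
MISSING = " (file missing)"


def _binary_from_command(cmd: str) -> str:
    """Return just the executable from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, maybe with args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_log(text: str) -> list:
    """Parse the O/F/R entry lines of a HijackThis log into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # header / process list lines
        section, rest = m.group("section"), m.group("rest")
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[: -len(MISSING)]
        if section == "O4":
            sub = O4_RUN_RE.match(rest) or O4_STARTUP_RE.match(rest)
            if sub:
                entries.append(Entry(section, sub.group("name"),
                                     _binary_from_command(sub.group("cmd")), missing))
            continue
        # Other sections are " - " separated; the binary path is the last field.
        parts = rest.split(" - ")
        head = parts[0].split(": ", 1)
        name = head[1] if len(head) == 2 else head[0]
        path = parts[-1].strip() if len(parts) > 1 else ""
        entries.append(Entry(section, name, path, missing))
    return entries


def triage(entries: list) -> list:
    """Attach review flags and return only the entries that earned one."""
    flagged = []
    for e in entries:
        e.flags = []
        if e.file_missing:
            e.flags.append("target file missing: stale entry or removed binary")
        if e.section == "O4" and WINDIR_ROOT_RE.match(e.path):
            e.flags.append("autostart binary sits directly in the Windows directory; verify publisher and hash")
        if e.section == "O23" and e.path.lower().endswith("\\program.exe"):
            e.flags.append("service path cut at first space (unquoted ImagePath); confirm the real binary")
        if e.flags:
            flagged.append(e)
    return flagged


def report(text: str) -> str:
    lines = []
    for e in triage(parse_log(text)):
        lines.append(f"{e.section} [{e.name}] {e.path or '<none>'}")
        lines.extend(f"    - {f}" for f in e.flags)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it lists the C2K Run entry, the missing xpnetdiag button and the MySQL5 service; everything else in the sample passes silently. In the real log the MySQL5 line and the running mysqld-nt.exe under "C:\Program Files\MySQL\MySQL Server 5.0\bin" together are the pattern the third heuristic is meant to catch: the service is running, but from an unquoted path with spaces, so the tool could not resolve it.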

#2 SWI Support Robot (Helper robot, SWI Bot, 23,523 posts)

Posted 23 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 26 April 2007 - 09:13 AM

Hi,

Sorry for this delay.

If you still need help please submit a fresh HijackThis log.
Before you do, remove the wordwrap function from Notepad.
You will find it under the Format menu.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 nasdaq (Forum Deity, Global Moderator, 49,092 posts)

Posted 07 May 2007 - 09:07 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button